5.2 AppSec key capabilities.md

In this section, we’ll cover more details about the core tools and capabilities that are used in application security:

Introduction

In this lesson, we’ll cover what the key capabilities and tools that are used in application security are.

AppSec key capabilities and tools

Key capabilities and tools used in application security are essential for identifying, mitigating, and preventing security vulnerabilities and threats in software applications. Here are some of the most important ones:

1. Static Application Security Testing (SAST):

• Capabilities: Analyzes source code, bytecode, or binary code to identify security vulnerabilities in the application's codebase.

• Tools: Examples include Fortify, Checkmarx, and Veracode.

2. Dynamic Application Security Testing (DAST):

• Capabilities: Scans a running application to identify vulnerabilities by sending input requests and analyzing responses.

• Tools: Examples include ZAP, Burp Suite, and Qualys Web Application Scanning.

3. Interactive Application Security Testing (IAST):

• Capabilities: Combines elements of SAST and DAST to analyze code during runtime, providing more accurate results and reducing false positives.

• Tools: Examples include Contrast Security and HCL AppScan.

4. Runtime Application Self-Protection (RASP):

• Capabilities: Monitors and protects applications in real-time, detecting and responding to security threats as they occur.

• Tools: Examples include Veracode Runtime Protection and F5 Advanced WAF with RASP.

5. Web Application Firewalls (WAFs):

• Capabilities: Provides a protective layer between the application and the internet, filtering incoming traffic and blocking malicious requests.

• Tools: Examples include ModSecurity, AWS WAF, and Akamai Kona Site Defender.

6. Dependency Scanning:

• Capabilities: Identifies vulnerabilities in third-party libraries and components used in the application.

• Tools: Examples include OWASP Dependency-Check and Snyk.

7. Penetration Testing (Pen Testing):

• Capabilities: Simulates real-world attacks to discover vulnerabilities and assess the security of an application.

• Tools: Performed by certified ethical hackers and security professionals using various tools like Metasploit and Nmap.

8. Security Scanning and Analysis:

• Capabilities: Scans for known vulnerabilities, configuration errors, and security misconfigurations.

• Tools: Examples include Nessus, Qualys Vulnerability Management, and OpenVAS.

9. Container Security Tools:

• Capabilities: Focus on securing containerized applications and their environments.

• Tools: Examples include Docker Security Scanning and Aqua Security.

10. Secure Development Training:

• Capabilities: Provides training and awareness programs for development teams to foster secure coding practices.

• Tools: Customized training programs and platforms.

11. Security Testing Frameworks:

• Capabilities: Provides comprehensive testing frameworks for different application security testing needs.

• Tools: OWASP Amass, OWASP OWTF and FrAppSec.

12. Secure Code Review Tools:

• Capabilities: Review source code for security vulnerabilities and coding best practices.

• Tools: Examples include SonarQube and Checkmarx.

13. Secure APIs and Microservices Tools:

• Capabilities: Focus on securing APIs and microservices, including authentication, authorization, and data protection.

• Tools: Examples include Apigee, AWS API Gateway, and Istio.

Further reading

• What Is Application Security? Concepts, Tools & Best Practices | HackerOne
• What is IAST? (Interactive Application Security Testing) (comparitech.com)
• 10 Types of Application Security Testing Tools: When and How to Use Them (cmu.edu)
• Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and Default | Cyber.gov.au